Manage SSH Access Automatically Using GitHub Teams
Most of the software projects that we see at Stack Builders have a couple of things in common: they use GitHub to manage access to source code, and they deploy to Linux servers. Developers are granted permission to access the servers by adding their SSH public keys to
How much simpler can we make this process? For a long time, GitHub has exposed users' public keys via an API endpoint. Why not use these keys to automatically grant GitHub users on your team permission to log in to your Linux servers?
It turns out that a configuration option, AuthorizedKeysCommand, was recently added to the OpenSSH daemon. The idea of this configuration option is that you simply point the ssh daemon to an executable on your system, and the valid public keys for a given user will be read from the output of the command.
So far, it looks like the open-source uses of this command are restricted to pulling keys from LDAP. We decided to roll our own integration between GitHub and OpenSSH, and we have it in use on some test servers internally. Voilà! Changing permissions on an entire server cluster is simply a matter of adding or removing a GitHub user from a team.
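To make the mechanism concrete, here is an added example of an AuthorizedKeysCommand helper that emits the keys of a GitHub team's members. It is not the openssh-github-keys code; the install path, the sshkeys service user, the token file, the deploy account name and the ORG/TEAM arguments are all assumptions.

```python
#!/usr/bin/env python3
# Added example: hypothetical AuthorizedKeysCommand helper, not openssh-github-keys.
# sshd_config (install path, ORG, TEAM, token file and user are assumptions):
#   AuthorizedKeysCommand /usr/local/bin/gh_team_keys.py %u ORG TEAM /etc/ssh/gh_token
#   AuthorizedKeysCommandUser sshkeys
import base64, json, sys, urllib.request

API = "https://api.github.com"
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
SHARED_ACCOUNTS = {"deploy"}  # assumed local accounts the team may log in as

def http_get_json(path, token):
    req = urllib.request.Request(API + path, headers={
        "Authorization": "Bearer " + token, "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def normalize_key(raw):
    """Return 'type base64' if the blob's embedded type matches, else None."""
    parts = raw.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None  # also rejects lines that start with authorized_keys options
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    n = int.from_bytes(blob[:4], "big")  # length prefix of the type string
    return f"{parts[0]} {parts[1]}" if blob[4:4 + n] == parts[0].encode() else None

def team_keys(local_user, org, team, token, get=http_get_json):
    """authorized_keys lines for org/team members (first 100); [] on any error."""
    if local_user not in SHARED_ACCOUNTS:
        return []
    try:
        lines = []
        for m in get(f"/orgs/{org}/teams/{team}/members?per_page=100", token):
            login = m["login"]
            if not login.replace("-", "").isalnum():
                continue  # never place an unexpected login in a URL or key comment
            for k in get(f"/users/{login}/keys", token):
                if (key := normalize_key(k["key"])):
                    lines.append(f"{key} github:{login}")
        return lines
    except Exception:
        return []  # fail closed: an API error must never yield partial output

if __name__ == "__main__":
    user, org, team, token_file = sys.argv[1:5]
    print("\n".join(team_keys(user, org, team, open(token_file).read().strip())))
```

sshd only runs the command if it is owned by root and not writable by group or others. When the command returns no matching key, sshd still checks the usual AuthorizedKeysFile, so a break-glass key kept there continues to work during a GitHub outage.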
Of course, using this means that your servers are only as secure as your GitHub account and GitHub's own mechanisms for keeping that account safe. Anyone who can manage your GitHub teams can log in to your servers simply by adding their GitHub account to your team, so we'd suggest at least enforcing two-factor authentication on GitHub if you use this approach seriously. If you're willing to accept that risk, consider giving openssh-github-keys a shot.
Ready to give it a try? Let us know how it works in the comments on this page, or open an issue on the openssh-github-keys tracker if you have any problems.